A recent cyber campaign has been identified, targeting vulnerabilities in Internet Information Services (IIS) to spread a malware known as BadIIS. This attack manipulates search engine optimization (SEO) results, redirecting users to illegal gambling sites or malicious servers, primarily affecting several Asian countries.

Widespread Impact and Financial Motivation

Research indicates that the attack is financially motivated, with victims being redirected to illicit gambling websites. The campaign has already impacted countries such as India, Thailand, and Vietnam, and poses potential threats to the Philippines, Singapore, Taiwan, South Korea, Japan, Brazil, and Bangladesh.

Compromised IIS servers belong to various sectors, including government agencies, universities, technology firms, and telecommunications companies. Analysis suggests a link to Chinese-speaking threat actors, based on domain data and Chinese-language code strings found in the malware samples.

For more information on IIS vulnerabilities, visit Frebniis Malware Exploits Microsoft IIS Feature.

How BadIIS Operates

Once deployed, BadIIS modifies HTTP responses, resulting in two main outcomes:

  • SEO Fraud Mode: The malware examines the user's search history and redirects traffic to illegal gambling sites when visitors arrive from search engines like Google, Bing, and Baidu.
  • Injector Mode: It injects malicious JavaScript into web pages, redirecting users to attacker-controlled sites hosting malware or phishing schemes.

To enhance their success, attackers use keywords from search portals to identify genuine users versus search engine bots. The malware then alters the HTTP response to deceive SEO trackers and boost visibility for illegal content.

Strengthening IIS Security Against Attacks

Given the widespread use of IIS across enterprises, securing these servers is crucial. Trend Micro recommends several measures to protect against threats like BadIIS:

  • Regularly update and patch IIS servers.
  • Monitor for unauthorized IIS module installations.
  • Restrict administrative access with strong passwords and multi-factor authentication (MFA).
  • Implement firewalls to filter suspicious network traffic.
  • Continuously review IIS logs for signs of compromise.
  • Disable unnecessary services to minimize vulnerabilities.
The link has been copied!